On Dec 9, 2007 12:02 AM, jf <[EMAIL PROTECTED]> wrote: > ... > It's really quite simple. If you or I can setup a tor node and use it to > mitm/pop people/etc, or use it and the various tracking methods previously > shown (wasnt it hd who did the js/flash callhome stuff?)
there is no "if", anyone can join the network and contribute, including exit traffic. a proper _implementation_ and _use_ of Tor will protect against the leakage you describe. improved scanning of the Tor network and rapid flagging of "bad exit"s at the directories is a work in progress and can definitely be improved upon. HD Moore did write a tool to check for common side channels and obtain the true IP this way: http://metasploit.com/research/misc/decloak/ to date, JanusVM (and most other transparent proxy impls) have protected against these and all other known side channel attacks like this that trick some plugin or externally launched app to reveal the user's IP. and there are a lot of them for many different content types... > If you consider who has those types of resources you're basically stuck > with mega-corporations, governments, telcos and potentially some > spammers/botnets. the most significant compromise of Tor to date was pulled off by two people and three broadband lines, actually. the biggest threats to Tor users are implementation and usage weaknesses, not attacks on the onion routing design or the network as a whole. > That all considered, it becomes obvious that, if you presume that its > goal was anonymity to everyone, which is dubious at best if you consider > some of its .mil background, that this is a deep design flaw. Or at least > that's my opinion. a useful anonymity service is like a utility; it needs lots of different types of participants and provides for a common need. in this sense, .mil background only shows that the Navy understood this, and for Tor to be truly useful they had to set it free. the code is available for all, and the network has continued to grow in size and diversity (mostly). the hardest part of anonymity for everybody is usability and scale. Tor has significant hurdles yet to address in this respect, but this can be hardly viewed as failure and design flaw, more like growing pains... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
